
NAT Suggestions

Greetings,

My question is about what type of NAT to use in this scenario. I usually don't do NAT in my configurations, unless I'm implementing the typical private to public internet one to many situation. The internet network I created is currently routable across my network, however, the customer has assigned another private block which I'm currently using at another location. I would like to know if it's easier to do a one to one or easier to do a one to many instance of NAT translation. I would like to keep using my private space I've already assigned, and mask their private with one of mine. Is this possible?

Example: 10.41.244.0 /27 -> NAT translate (1:1 or 1:Many) -> 10.160.0.0/27 -> VPN Inside Tunnel -> Inside Servers then back to the customer site in reverse order.

Any advice will be helpful.

Thanks,
Andrew

7 Replies

Hello,

If you compare them in terms of being easy or difficult, both of them are easy.

It depends on whether you are going to have policy per IP or not, because if you do 1:many NAT, you will only see one IP on the other side of the network, so implementing policy per IP is not possible. Static NAT is also possible, but you need to configure about 30 lines of NAT since your prefix is /27. I suggest configuring 1:many NAT if you do not have a specific requirement to put policy per IP.

Let me know if you need an example.

Hope it helps,

Masoud

Please, an example would be great. I just went over the static NAT and you're right, however, I don't adding in the extra lines though.

Thanks,
Andrew

Do you have any NAT configured on your router? Do you need an example of static NAT or dynamic?

Masoud

Static please. Right now I don't have any NAT configured on the router, I usually just route the private space I reserve for the customer back to our network over an IPSec tunnel. At this new site, the customer is wanting to control DHCP and this is the reason why I would like to translate their IP scheme to mine when it needs to go out the tunnel, then route it back through the tunnel and translate to its original customer IP.

Thanks in advance,

Andrew 

I supposed

interface fa0/0 is connected to your customer (outside of your network)

interface fa1/0 is connected to VPN tunnel and your server (inside of your network)

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet1/0
 ip address 2.1.1.1 255.255.255.0
 ip nat inside
!
ip nat outside source static 10.41.244.1 10.160.0.1
ip nat outside source static 10.41.244.2 10.160.0.2
ip nat outside source static 10.41.244.3 10.160.0.3

and so on

IPs on the interfaces can be any IP addresses. They do not have to be the same as the IPs in your NAT statement.

Masoud
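
The "and so on" in the reply above covers the remaining hosts of the /27. As an added example (not part of the original post), this Python script generates the full set of static entries in the same `ip nat outside source static` form, keeping each host's offset identical in both blocks; the function name `static_nat_lines` is hypothetical and the two prefixes are the ones from the question.

```python
import ipaddress


def static_nat_lines(customer_cidr, mapped_cidr):
    """Return one static NAT line per usable host address.

    customer_cidr: the block the customer uses (seen on the NAT outside side).
    mapped_cidr:   the block those hosts should appear as on the inside.
    """
    customer = ipaddress.ip_network(customer_cidr, strict=True)
    mapped = ipaddress.ip_network(mapped_cidr, strict=True)

    # A 1:1 mapping only makes sense between blocks of the same size.
    if customer.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 NAT needs two blocks with the same prefix length")
    # Overlapping blocks would make the translated address ambiguous.
    if customer.overlaps(mapped):
        raise ValueError("customer and mapped blocks overlap")

    lines = []
    for host in customer.hosts():  # skips network and broadcast addresses
        offset = int(host) - int(customer.network_address)
        translated = mapped.network_address + offset
        lines.append(f"ip nat outside source static {host} {translated}")
    return lines


if __name__ == "__main__":
    # Prefixes taken from the question in this thread.
    for line in static_nat_lines("10.41.244.0/27", "10.160.0.0/27"):
        print(line)
```

For the /27 in this thread the script emits 30 lines, from 10.41.244.1 through 10.41.244.30.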

Perfect, very easy to follow. Would that also work in reverse order or would I have to create a NAT to translate my network back to the customer network when I send that traffic back to that customer interface?

No, you do need to do that. It will work in reverse order as well. Just make sure your routing works correctly.

1- Route 10.160.0.0/27 to the NAT router on your servers and tunnel.

2- Route 10.41.244.0/27 to outside on your NAT router.

Masoud
